BOUNDARY - Script for Boundary to connect to Kubernetes cluster

Avatar
Ashish Garg
  • Updated

 

Introduction

In order to connect to Kubernetes cluster via Boundary, the below set of steps must be performed:

  • authenticate to Boundary
  • authorize the session
  • obtain the authorization token
  • generate the proxy url/port/session
  • open a new session of the same VM
  • export the port/service account token &
  • run the kubectl commands to obtain the required details from Kubernetes Cluster

which is a time-consuming task.

Solution:

In the interest of time, a shell script can be used that will perform all the above tasks, and the same VM session can be used to connect to the Kubernetes Cluster through Boundary.

*Note:- BOUNDARY_ADDR & BOUNDARY_TOKEN environment variable need to be set before running the script.

This script has been tested with BOUNDARY ENTERPRISE 0.13.2+ent version

Configure below variables in the script:

K8S_CA_CERT_PATH - Kubernetes cluster CA certificate path
BOUNDARY_SCOPE_ID - Boundary project ID for which the Kubernetes target is created.
K8S_TLS_SERVER_NAME - TLS server name in Kubernetes cluster CA certificate
TARGET_NAME - Target name to whom you want to connect

#!/bin/bash
#I have provided the dummy entries for the variables
export BOUNDARY_LISTEN_ADDRESS=127.0.0.1
export BOUNDARY_LISTEN_PORT=65000
export K8S_SERVER=https://$BOUNDARY_LISTEN_ADDRESS:$BOUNDARY_LISTEN_PORT
export K8S_CA_CERT_PATH=/home/vagrant/ca.crt
export K8S_TLS_SERVER_NAME=kubernetes
export BOUNDARY_SCOPE_ID=p_aE5cK8FLcs
export TARGET_NAME=my-kubernetes-cluster-target

eval $(boundary targets authorize-session -token="env://BOUNDARY_TOKEN" -name $TARGET_NAME -format json | jq -r '"export AUTHZ_TOKEN="+.item.authorization_token, (.item.credentials[].secret.decoded.service_account_token | select(. != null) | "export K8S_TOKEN="+.)')

echo "Setting alias \"kb\" to run kubectl commands against the local Boundary session"

alias kb="kubectl --server $K8S_SERVER --token $K8S_TOKEN --certificate-authority $K8S_CA_CERT_PATH --tls-server-name $K8S_TLS_SERVER_NAME"

boundary connect -authz-token $AUTHZ_TOKEN -listen-addr $BOUNDARY_LISTEN_ADDRESS -listen-port $BOUNDARY_LISTEN_PORT &
echo "You may now use \"kb\" to run kubectl commands"

Once the script executes; it will create a proxy which will listen on 127.0.0.1:65000. Hit enter and continue in the same session to run the below command.
The below command gets you access to the Kubernetes cluster


source ./connect_k8s.sh
#Above command should create a new Boundary session on 127.0.0.1:65000

#Use alias kb to run "kubectl" commands
kb get pods

 

 

 

 

Articles in this section

Related articles